Sub-processors
Version 1.0 · Effective 2026-04-20
1. About this page
This page lists the third-party service providers ("sub-processors") that process personal data on behalf of Blob Solutions LLC in operating the VCR.AM service. It complements our Privacy Policy and the optional Data Processing Addendum.
A sub-processor is any external provider that we engage to assist us in delivering the Service and that, in the course of doing so, may process personal data relating to our users or their customers.
2. How we evaluate sub-processors
Before engaging a new sub-processor we assess:
- Security posture — published certifications (SOC 2, ISO 27001, PCI DSS where relevant), encryption in transit and at rest, incident response.
- Data protection terms — availability of a Data Processing Addendum, Standard Contractual Clauses (SCCs) for international transfers, and published retention/deletion practices.
- Necessity — whether the provider is essential to the Service or replaceable without material degradation.
- Transparency — whether the provider publishes its own sub-processor list, audit reports, and transparency reports.
3. Current sub-processors
Data in the table below is current as of the "Effective" date at the top of this page.
| Provider | Role | Data categories | Primary region | DPA / SCCs |
|---|---|---|---|---|
| Vercel Inc. (vercel.com) | Application hosting, edge network, Vercel Analytics, Vercel Speed Insights | All request/response data, infrastructure logs, aggregated telemetry | United States (global edge) | Vercel DPA with SCCs |
| Neon Database Inc. (neon.tech) | Managed PostgreSQL database | All persistent application data (accounts, business entities, transactions, sessions) | European Union — Frankfurt (eu-central-1) | Neon DPA with SCCs |
| Amazon Web Services, Inc. — SES (aws.amazon.com/ses) | Outbound email delivery (receipts, account, notifications) | Recipient email address, email subject and body | United States (us-east-1) | AWS DPA with SCCs |
| Amazon Web Services, Inc. — S3 (aws.amazon.com/s3) | Document storage (SRC certificates, PDF receipts) | Encrypted certificate files, generated PDF receipts | United States (us-east-1) | AWS DPA with SCCs |
| Fly.io, Inc. (fly.io) | SRC gateway and certificate issuance services | Encrypted SRC credentials in transit, per-request metadata | United States / regional edges | Fly.io DPA with SCCs |
| Google LLC — Google Analytics 4 (analytics.google.com) | Pseudonymous usage analytics on public marketing pages | Truncated IP, user agent, page-view events, anonymised client ID | United States | Google Ads Data Processing Terms with SCCs |
| Google LLC — Cloud Translation (cloud.google.com/translate) | On-demand machine translation for optional translation features | Text strings submitted by the user for translation | United States | Google Cloud DPA with SCCs |
| Sentry (sentry.io) | Application error and performance monitoring | Error stack traces, request metadata (URL, user agent), optional user ID | United States | Sentry DPA with SCCs |
4. Infrastructure services that are not sub-processors
The following are used to operate the Service but are not considered sub-processors of personal data under the meaning of the Privacy Policy, because they do not handle user or customer personal data:
- GitHub, Inc. — source code hosting, CI/CD. No production personal data is transmitted to GitHub.
- Cloudflare, Inc. — DNS and domain registration. No application data passes through Cloudflare at this time.
- Pingdom / uptime monitors — public endpoint availability checks only.
We will add any of these to the sub-processor list if their role changes.
5. State Revenue Committee of the Republic of Armenia
The SRC is not a sub-processor. It is a recipient of transaction data under a legal obligation (Government Resolution No. 1976 of 03.12.2020). Submitting transaction data to the SRC is the primary purpose of the Service — see the Privacy Policy for details.
6. Notifying you of changes
We announce new sub-processors and material changes (for example, a new region where personal data is processed) at least 14 days before they take effect:
- An update is posted to this page with a new version number and "Effective" date.
- Where the change materially affects personal data, a notice is sent by email to account holders.
If you object to a new sub-processor, you may terminate your account without penalty before the change takes effect. Data required to be retained by law will continue to be retained as described in the Privacy Policy.
7. Exercising audit and information rights
Business customers may request our most recent SOC 2 / ISO 27001 reports and copies of DPAs and SCCs by writing to support@vcr.am with the subject "Sub-processor audit request". We will respond within 30 calendar days.
8. Change log
- v1.0 — 2026-04-20 — Initial publication. Active sub-processors: Vercel, Neon, AWS (SES + S3), Fly.io, Google (GA4 + Cloud Translation), Sentry.
9. Contact
Blob Solutions LLC · Email: support@vcr.am
For the general Privacy Policy, see /legal/privacy. For the Data Processing Addendum available to business customers, see /legal/dpa.